Re: disabled SSL log_like tests
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Thomas Munro <thomas.munro@gmail.com>
Cc: Andrew Dunstan <andrew@dunslane.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>,
Jacob Champion <jacob.champion@enterprisedb.com>
Date: 2025-05-07T01:18:11Z
Lists: pgsql-hackers
I wrote:
> Yeah, I see that too. But I also see three failures in 002_scram.pl,
> which presumably were there before e0f373ee. (Tested on OpenBSD 7.6
> and 7.7.) The buildfarm's OpenBSD animals haven't caught this
> because they don't run this test suite :-(.
I dug into this with gdb, and it seems like it's an omission in
LibreSSL's RSA-PSS support. We're requesting a signature algorithm
with code 2054, which in their source is SIGALG_RSA_PSS_RSAE_SHA512,
and that leads them to this sigalgs[] table entry in
lib/libssl/ssl_sigalgs.c:
{
.value = SIGALG_RSA_PSS_RSAE_SHA512,
.key_type = EVP_PKEY_RSA,
.md = EVP_sha512,
.security_level = 5,
.flags = SIGALG_FLAG_RSA_PSS,
},
The problem is that the private key has key_type EVP_PKEY_RSA_PSS
which is not equal to EVP_PKEY_RSA, so ssl_sigalg_pkey_ok() in the
same file rejects this entry as not compatible. In fact, there
are *no* entries in sigalgs[] that can match a PSS private key
according to ssl_sigalg_pkey_ok(). So while perhaps
SIGALG_RSA_PSS_RSAE_SHA512 is the wrong thing for us to request,
I do not see a right thing.
Looking around a little more, there are places like
SSL_get_signature_type_nid() that do things like this:
*nid = sigalg->key_type;
if (sigalg->key_type == EVP_PKEY_RSA &&
(sigalg->flags & SIGALG_FLAG_RSA_PSS))
*nid = EVP_PKEY_RSA_PSS;
So it seems like this might be a simple oversight in
ssl_sigalg_pkey_ok(), which doesn't make any such correction:
if (sigalg->key_type != EVP_PKEY_id(pkey))
return 0;
Anyone know anything about where to submit LibreSSL bugs?
regards, tom lane
Commits
-
Skip RSA-PSS ssl test when using LibreSSL.
- cad781b3e5de 16.10 landed
- 95129709fd9b 18.0 landed
- 793aa989f8e4 15.14 landed
- 3007fee7f292 17.6 landed
-
Ooops ... add required configure support.
- 00811a96ac45 15.14 landed
-
Hack one ssl test case to pass with current LibreSSL.
- 75d73331d014 18.0 landed
-
Centralize ssl tests' check for whether we're using LibreSSL.
- 976a8c2170f1 17.6 landed
- 27fbf7cb6391 16.10 landed
- 1ddb9e14eadf 15.14 landed
- 0aaf69965dbd 18.0 landed
-
Re-enable SSL connect_fails tests, and fix related race conditions.
- e0f373ee42a4 18.0 landed
-
Disable unstable test cases in src/test/ssl/t/001_ssltests.pl.
- 55828a6b6084 16.0 cited